The IT Paradox. Security can't be only IT's problem. "When security is discussed as an IT issue, as opposed to an issue of business risk, it is often an unbudgeted afterthought," says Mark Silver, divisional information officer at Siemens Healthcare. "But if something goes wrong, it is not IT alone that is held accountable. When I speak with CFOs, I remind them that ROI also stands for 'risk of incarceration.'"
CISOs, who Silver believes should report to CFOs or chief legal officers, need to align their approach with the company's overall risk profile. "Are you bullish? Are you heavily regulated? Is your profile changing?" asks Silver. "If the SEC is starting to fine your competitors on a certain activity, your risk profile has just gone up."
Once a CISO determines the risk profile, they need to make information security systemic to the organization. "As we start any project, we consider time, resources and quality," says Silver. "It is not a stretch to add information security to quality considerations. By making security core to your project management methodology, all of the stakeholders assess whether the project matches the risk profile."